Skip to main content

Opensearch CVE-2023-31141

MEDIUM
Incorrect Authorization (CWE-863)
2023-05-08 security-advisories@github.com
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
May 08, 2023 - 21:15 nvd
MEDIUM 5.9

DescriptionNVD

OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, once every four hours. OpenSearch 1.3.10 and 2.7.0 contain a fix for this issue.

AnalysisAI

OpenSearch is open-source software suite for search, analytics, and observability applications. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, once every four hours. OpenSearch 1.3.10 and 2.7.0 contain a fix for this issue. Affected products include: Amazon Opensearch, Amazon Opensearch Security.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2025-9624 HIGH POC
8.3 Nov 25

A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string input

CVE-2023-23612 HIGH
8.8 Jan 26

OpenSearch is an open source distributed and RESTful search engine. Rated high severity (CVSS 8.8), this vulnerability i

CVE-2022-35980 HIGH
7.5 Aug 12

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Rated high seve

CVE-2023-23613 MEDIUM
6.5 Jan 26

OpenSearch is an open source distributed and RESTful search engine. Rated medium severity (CVSS 6.5), this vulnerability

CVE-2022-41918 MEDIUM
6.3 Nov 15

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. Rated medium severity (CVSS 6.3), this v

CVE-2023-45807 MEDIUM
5.4 Oct 16

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 202

CVE-2023-25806 MEDIUM
5.3 Mar 02

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Rated medium se

CVE-2023-23933 MEDIUM
4.3 Feb 03

OpenSearch Anomaly Detection identifies atypical data and receives automatic notifications. Rated medium severity (CVSS

CVE-2022-41917 MEDIUM
4.3 Nov 16

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. Rated medium severity (CVSS 4.3), this v

Share

CVE-2023-31141 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy